When news broke last week that drive-by malware exploiting a known Java vulnerability had infected first 300,000 then as many as Dr. Web, a little-known Russian computer security firm. Who were these folks, and how did they come up with the number?
However, Dr. Web’s estimate of the number of infected Macs is holding water: although other security firms haven’t yet produced their own independent estimates of the rates of Flashback infection, plenty of infected machines are being found, and so far most agree Dr. Web’s methodology seems sound. Dr. Web used a “sinkhole” approach, redirecting all traffic intended for Flashback’s command-and-control servers to another system that deciphered the reports from infected machines and pulled out the Macintosh UUIDs—unique identification codes—for analysis. This method is more comprehensive than a simple analysis of IP addresses, since (particularly on home networks and organizations’ internal networks) hundreds of machines can conceivably share the same IP address.
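The difference between counting by UUID and counting by IP address can be shown with a short added example (not Dr. Web's code). The record layout "timestamp source-IP UUID" and every value in the sample are constructed assumptions, since the page does not describe the report format; the example also goes slightly beyond the text by flagging a machine that reports from more than one address.

```python
import re
from collections import defaultdict

# Constructed sample of already-deciphered sinkhole records.
# Layout "timestamp src_ip uuid" is an assumption made for this example.
SAMPLE_LOG = """\
2012-04-05T10:00:01Z 203.0.113.10 8A1B2C3D-0000-5111-8222-AAAAAAAAAAAA
2012-04-05T10:00:07Z 203.0.113.10 8a1b2c3d-0000-5111-8222-aaaaaaaaaaaa
2012-04-05T10:01:12Z 203.0.113.10 11111111-2222-5333-8444-BBBBBBBBBBBB
2012-04-05T10:02:30Z 203.0.113.10 99999999-2222-5333-8444-CCCCCCCCCCCC
2012-04-05T10:03:00Z 198.51.100.7 DDDDDDDD-2222-5333-8444-DDDDDDDDDDDD
2012-04-05T11:40:00Z 198.51.100.99 DDDDDDDD-2222-5333-8444-DDDDDDDDDDDD
2012-04-05T11:41:00Z 198.51.100.99 not-a-uuid
"""

UUID_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$"
)

def summarize(log_text):
    """Count infected machines by UUID and compare with a per-IP count."""
    uuids_by_ip = defaultdict(set)
    ips_by_uuid = defaultdict(set)
    rejected = 0
    for line in log_text.splitlines():
        parts = line.split()
        # Normalise case so repeated check-ins from one machine collapse.
        uuid = parts[2].upper() if len(parts) == 3 else ""
        if not UUID_RE.match(uuid):
            rejected += 1  # malformed report: never counted as a host
            continue
        uuids_by_ip[parts[1]].add(uuid)
        ips_by_uuid[uuid].add(parts[1])
    return {
        "unique_uuids": len(ips_by_uuid),
        "unique_ips": len(uuids_by_ip),
        # Addresses hiding several machines (NAT): an IP count undercounts.
        "shared_ips": {ip: len(u) for ip, u in uuids_by_ip.items() if len(u) > 1},
        # One machine seen from several addresses: an IP count overcounts.
        "roaming_uuids": sorted(u for u, i in ips_by_uuid.items() if len(i) > 1),
        "rejected": rejected,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```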
Dr. Web has released a simple lookup tool that claims to let folks determine if a particular Mac has been detected as a system infected with Flashback. Users just get their Mac’s UUID (available in the Hardware section of System Information: choose Apple > About this Mac, then More Info to launch System Information). Note that UUIDs are not serial numbers: Dr. Web isn’t asking for users to enter their serial numbers.
If the infection rates published by Dr. Web are accurate, that means the overall infection rate in the Macintosh ecosystem is a bit over one percent—common industry estimates put the number of active Macs in use at about 45 million. F-Secure analyst Mikko Hypponen noted via Twitter that this translates to an infection rate over one percent. In theory, that would make Flashback as common on Macs as Conficker was on Windows.
Antivirus developer Intego believes the Flashback malware was created by the same folks who made the MacDefender trojan horse, which published detailed instructions on how to determine if a Mac is infected, as well as background information on how the Flashback malware operates.